Building an STS

[Starting with the .NET Framework 4.5, Windows Identity Foundation (WIF) has been fully integrated into the .NET Framework. The version of WIF addressed by this topic, WIF 3.5, is deprecated and should only be used when developing against the .NET Framework 3.5 SP1 or the .NET Framework 4. For more information about WIF in the .NET Framework 4.5, also known as WIF 4.5, see the Windows Identity Foundation documentation in the .NET Framework 4.5 Development Guide.]

The STS is the component of an issuing authority that is responsible for accepting incoming requests, validating and decrypting incoming security tokens, extracting claims from incoming tokens, packaging claims into outgoing security tokens, and encrypting outgoing security tokens. WIF makes it easy to build your own STS by handling these details, and also provides extensibility points that let you implement your security policy. A policy answers questions such as the following.

  • For what relying party applications am I providing security tokens?

  • What claims do those applications care about?

  • How should I authenticate users?

  • Do different applications have different security requirements?

  • What partners am I federating with?

In most cases, your best choice is to use an existing STS such as Active Directory® Federation Services (AD FS) 2.0. You should use WIF if you need to implement a security policy that existing STSes don’t support.

For more information about building an STS, see How to: Build an ASP.NET STS and How to: Build a WCF STS.

STS Architecture

You create your own STS by deriving from SecurityTokenService, which is provided by WIF. You must implement the following two methods on this class:

  1. GetScope. This method takes the caller’s IClaimsPrincipal and the incoming request for security token (RST) and returns the configuration for the token issuance request, which is represented by the Scope class. In this method, you can normalize the relying party’s address and choose signing and encryption keys. Typically, security tokens are encrypted so that only the relying party can read them.

    EncryptingCredentials determines whether or not tokens are encrypted. TokenEncryptionRequired and SymmetricKeyEncryptionRequired also default to true to prevent the STS from issuing insecure tokens.

  2. GetOutputClaimsIdentity. This method takes the caller’s IClaimsPrincipal, the incoming RST, and the Scope object returned from GetScope, and returns the IClaimsIdentity to be included in the issued token. This lets you decide which claims are included in the token.
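The following class is an added example, not code from the WIF documentation or SDK samples, showing how the two overrides fit together in a custom STS. It assumes a hypothetical allow-list of relying party addresses mapped to the subject names of their encryption certificates, looks those certificates up in the LocalMachine\My store, refuses requests whose AppliesTo is not on the list, leaves TokenEncryptionRequired at its default of true so the STS fails closed when no encrypting credentials are set, and only copies the role claims that one particular relying party needs. Everything in the example (the ExampleSecurityTokenService class name, the KnownRelyingParties table, the example.com addresses and certificate subjects) is an assumption for illustration.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography.X509Certificates;
using Microsoft.IdentityModel.Claims;
using Microsoft.IdentityModel.Configuration;
using Microsoft.IdentityModel.Protocols.WSTrust;
using Microsoft.IdentityModel.SecurityTokenService;

// Added example (not from the WIF documentation): a minimal custom STS that only
// issues tokens to relying parties it knows about and encrypts each token for
// the party it is addressed to.
public class ExampleSecurityTokenService : SecurityTokenService
{
    // Hypothetical allow-list: relying party address -> subject name of the
    // certificate whose public key the issued token is encrypted with.
    private static readonly IDictionary<string, string> KnownRelyingParties =
        new Dictionary<string, string>(StringComparer.OrdinalIgnoreCase)
        {
            { "https://rp.example.com/", "CN=rp.example.com" },
            { "https://payroll.example.com/", "CN=payroll.example.com" }
        };

    public ExampleSecurityTokenService(SecurityTokenServiceConfiguration configuration)
        : base(configuration)
    {
    }

    protected override Scope GetScope(IClaimsPrincipal principal, RequestSecurityToken request)
    {
        if (request.AppliesTo == null || request.AppliesTo.Uri == null)
        {
            throw new InvalidRequestException("The request must contain an AppliesTo element.");
        }

        // Normalize the address so the same relying party always maps to the same policy.
        string appliesTo = request.AppliesTo.Uri.AbsoluteUri;

        string encryptingCertificateSubject;
        if (!KnownRelyingParties.TryGetValue(appliesTo, out encryptingCertificateSubject))
        {
            // Refusing unknown audiences keeps a token minted for one party from
            // being accepted by another.
            throw new InvalidRequestException("Unrecognized relying party: " + appliesTo);
        }

        // Sign with the STS's configured signing credentials (from web.config / app.config).
        Scope scope = new Scope(appliesTo, SecurityTokenServiceConfiguration.SigningCredentials);

        // Encrypt for the relying party's certificate. TokenEncryptionRequired is left at
        // its default of true, so issuance fails if these credentials were missing.
        scope.EncryptingCredentials = new X509EncryptingCredentials(
            FindCertificate(encryptingCertificateSubject));

        // Honour ReplyTo only when it points back at the relying party itself;
        // otherwise the token would be posted to an address of the requester's choosing.
        scope.ReplyToAddress = IsSameOrigin(request.ReplyTo, appliesTo) ? request.ReplyTo : appliesTo;

        return scope;
    }

    protected override IClaimsIdentity GetOutputClaimsIdentity(
        IClaimsPrincipal principal, RequestSecurityToken request, Scope scope)
    {
        IClaimsIdentity callerIdentity = principal.Identity as IClaimsIdentity;
        if (callerIdentity == null || !callerIdentity.IsAuthenticated)
        {
            throw new InvalidRequestException("The caller is not authenticated.");
        }

        // Issue the minimum set of claims: every relying party gets the name claim.
        ClaimsIdentity outputIdentity = new ClaimsIdentity();
        outputIdentity.Claims.Add(new Claim(ClaimTypes.Name, callerIdentity.Name));

        // Hypothetical per-application policy: only the payroll application also
        // receives the caller's role claims, so other applications never see them.
        if (scope.AppliesToAddress.StartsWith("https://payroll.example.com/", StringComparison.OrdinalIgnoreCase))
        {
            foreach (Claim claim in callerIdentity.Claims)
            {
                if (claim.ClaimType == ClaimTypes.Role)
                {
                    outputIdentity.Claims.Add(new Claim(ClaimTypes.Role, claim.Value));
                }
            }
        }

        return outputIdentity;
    }

    // True when replyTo is an absolute https URL on the same host and port as the relying party.
    private static bool IsSameOrigin(string replyTo, string appliesTo)
    {
        Uri replyUri;
        if (string.IsNullOrEmpty(replyTo) || !Uri.TryCreate(replyTo, UriKind.Absolute, out replyUri))
        {
            return false;
        }
        Uri rpUri = new Uri(appliesTo);
        return replyUri.Scheme == Uri.UriSchemeHttps
            && string.Equals(replyUri.Host, rpUri.Host, StringComparison.OrdinalIgnoreCase)
            && replyUri.Port == rpUri.Port;
    }

    // Looks up a currently valid certificate by subject DN in LocalMachine\My (assumed store).
    private static X509Certificate2 FindCertificate(string subjectName)
    {
        X509Store store = new X509Store(StoreName.My, StoreLocation.LocalMachine);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            X509Certificate2Collection found = store.Certificates.Find(
                X509FindType.FindBySubjectDistinguishedName, subjectName, true);
            if (found.Count == 0)
            {
                throw new InvalidOperationException("No valid certificate found for " + subjectName);
            }
            return found[0];
        }
        finally
        {
            store.Close();
        }
    }
}
```

The class is hosted the same way as the SDK samples (an STS web site or WCF service whose SecurityTokenServiceConfiguration names it as the SecurityTokenService type). The two decisions worth copying are the allow-list check in GetScope, which is where the STS decides for which relying parties it issues tokens at all, and the per-application claim filtering in GetOutputClaimsIdentity, which is where it decides what each application gets to see.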

For sample implementations of these methods, see the samples or the topics ASP.NET Security Token Service Web Site and WCF Security Token Service.